Modification of the msPKIAccountCredentials

Last updated 9 days ago on 2025-01-22

Created 2 years ago on 2022-11-09

About

Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionData Source: Active DirectoryTactic: Privilege EscalationUse Case: Active Directory MonitoringData Source: SystemLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Exploitation for Privilege Escalation (T1068)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-system.*logs-windows.*

Related Integrations

system(opens in a new tab or window)

windows(opens in a new tab or window)

Query

event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and
  winlog.event_data.OperationType:"%%14674" and
  not winlog.event_data.SubjectUserSid : "S-1-5-18"

Install detection rules in Elastic Security

Detect Modification of the msPKIAccountCredentials in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).